Podcast by Dr. Bjorn Mercer, Program Director, Communication, Philosophy, Religion, World Languages and
Dr. Kevin Harris, Faculty Member, Cybersecurity, Information Systems Security and Information Technology
Cybersecurity is everyone’s responsibility, not just IT or technical professionals. In this episode, Dr. Bjorn Mercer talks to cybersecurity professor Dr. Kevin Harris about the rise in hacking and ransomware attacks on organizations. Learn why it’s important for companies to invest in programmers and technical personnel who have the skills needed to protect networks while also training all employees—especially executives—about cybersecurity best practices and cyber threats. Also learn what the government can do to establish regulations and also provide incentives and assistance to companies encouraging them not to pay ransoms if they are attacked by hackers.
Dr. Bjorn Mercer: Hello, my name is Dr. Bjorn Mercer, and today we’re talking to Dr. Kevin Harris, faculty in the School of STEM. Today our conversation is about hack and hackings. Welcome, Kevin.
Dr. Kevin Harris: Thank you very much for having me. I really appreciate the opportunity to talk about this topic that seems to keep growing.
Dr. Bjorn Mercer: It does. It does. This really rolls into the first question, which is why are large-scale hacks more of an issue today than say even 10 years ago?
Dr. Kevin Harris: Yeah. If you talk about even 10 years ago, it certainly was there. But I think one of the things that’s changed in our current environment is just the amount of data that organizations are capturing at one time. So if an organization is exploited, the amount of data that they’re able to get is just a tremendous amount. So I think that started even before we moved data to the cloud, when the data storage just became fairly inexpensive. So organizations and individuals also just started capturing more data.
And also now with the global nature, just the scope and the impact of a hack has continued to grow. So I think that’s one of the differences, is just we’ve got large amounts of data held by so many different organizations.
Dr. Bjorn Mercer: I like that you brought up the cloud. For us non-tech people out there, we use machines, we use our phones, and we know there’s data, but we oftentimes don’t think about where it’s going or privacy agreements we just mindlessly agree to. With so much out there, what responsibility does the U.S. government have in helping to protect U.S. citizens and U.S.-based companies?
Dr. Kevin Harris: Yeah, I think one of the first things that the government can do is set an example. The government is someplace that we have to store certain information. I mean, we’ve got to give our social security number to the Social Security [Administration] when we apply for a passport. We’re giving over a lot of information to the government, so they should take the appropriate first steps to make sure they’re setting an example to other companies of securing our information.
But also they can serve as that bridge and be an opportunity for organizations to form a coalition, so they reach out to whether it’s your private sector, whether it’s a higher education institution and just say, “Hey, can we all get together and sit down and address this problem, that’s a huge problem that no one can solve by themselves?” So I think that’s a big role that the government has, is just being that bridge.
Dr. Bjorn Mercer: I like how you said being that bridge. So, part of my question though is, in helping protect U.S.-based companies, but so many companies today are multinational. How do multinationals complicate everything, especially with something like TikTok, where during the Trump administration, they, I guess, threatened to pull it and then that didn’t happen? But by protecting U.S.-based companies, or I should say products in the U.S., doesn’t mean that they’re not based in other countries.
Dr. Kevin Harris: Yeah. Unfortunately, that’s one of the differences that tech brings in, the internet brings in, and companies that operate in this global internet-based market, they’ve got to make sure they’re aware of the different regulations and abide by those regulations, whether it’s U.S. regulation or whether it’s a foreign regulation, such as GDPR. The thing companies can do the most is make sure they’re following the most restrictive policy to secure everyone. So if they’re operating in one country that’s more restrictive than another, they shouldn’t take the easy way out and say, “Hey, we’re only going to apply that set of rules there.” They need to figure out what the best practice is and apply it globally.
Dr. Bjorn Mercer: That’s great. So that really brings us to the next question is building on collaboration. There was a recent meeting in the Biden administration held with private sector leaders to discuss new initiatives to bolster the nation’s cybersecurity. What were some of the takeaways from that meeting?
Dr. Kevin Harris: I think a couple of things that came out of that meeting, just who was there. As I said before, collaboration’s important. So in that meeting, you had private sector, big tech companies: Google, Apple, Microsoft, Amazon, were there, able to contribute. Then you also had higher education institutions that were part of these discussions. So how can we work together going forward? There were some insurance carriers that were there, which is becoming a large area in the cyber space, when we talk about companies offering cyber insurance. So in the event of a breach, the organization is covered similar to if an organization experienced a fire. So the fact that they were all there was huge.
I think one thing that might be a continued conversation is for years discussions were had around that it was more effective for organizations to purchase and take part of commercial software instead of developing it in-house with a proprietary software. So that was the trend for many years.
I think now we’re recognizing that trend also has contributed to organizations not having as many programmers on staff because they are not having to develop as much code in-house.
So that’s another place when we talk about large scale attacks, because when these commercial software packages are exploited, whether it’s the SolarWinds attacks that we saw previously last year, it impacts so many different organizations. So I think that’s another thing that we can build on, is just rebuilding some of these programming pipelines. That was even brought up in this meeting that you referenced recently, of open-source coding so that we’re not relying on, as an organization, strictly commercial software.
Dr. Bjorn Mercer: I can see that. It really makes me think of the hacks that have occurred within the last few years. There’s so many different companies, so many different platforms and technology and age of technology that has gone into these different hacks.
How can a company make a decision, if they are hacked and if the hackers are like, “Just pay us $5 million, you’re back to normal”? And if every day they’re bleeding $10 million, $5 million doesn’t seem like a lot.
But the U.S. government, of course, I think doesn’t want companies to do that because that’ll just embolden more hackers. So how does the government intervene and why should there be a third-party insurance when it should be about ideally the government being there to protect, but also individual companies not paying ransoms, but that also paying ransoms could be cheaper? It’s confusing.
Dr. Kevin Harris: Yeah, definitely. I think that’s one of the things, of course, the government advises companies never to pay the ransom, but at the end of the day, like you said, most companies, while they want to do the right thing to be a good digital citizen, if you will, and not pay ransom, they’re of course looking out for their profits, if you will. So they’ve got to make some decisions based off of finances.
In that example that you include, the ransom is $5 million and they’re losing $10 million a day, for a business perspective, it’s going to lead them possibly to pay the ransom. I think maybe the government could provide some extra incentives for companies that don’t pay a ransom. Whether those incentives are possibly companies that follow a certain framework and don’t pay a ransom, the government may provide some extra support, whether it’s cyber teams to help them mitigate an attack, that if a company does pay the ransom, they don’t have those extra resources provided to them. That potentially could be an incentive to organizations.
I think maybe even providing certain liability caps or caps on lawsuits, that if companies are following a framework and if part of that framework is not paying ransoms that says this company, your legal liability is limited.
Dr. Bjorn Mercer: That totally makes sense because from a company’s perspective, revenue in is really the most important thing. And if that revenue is endangered, and if it can be put back online with really just, honestly, minimal payment out over a year’s time, it totally makes sense. But at the same time, everybody’s watched enough movies and the U.S. government or governments in general, they don’t make deals with bad agents. But at the same time, it is very difficult when there’s so much out there and there’s so many hackers that honestly are brilliant.
So from a private sector perspective, or even the government, how do you deal with what I would describe as the brain drain, in which there’s people out there who are very good, very tech savvy, who are essentially working for “the bad guys,” but they’re doing something that is essentially hacking?
Dr. Kevin Harris: Yeah. I think the first step is when you make a decision to collect data, is this data that you really need? Because the very fact that you collect it is putting it at risk. Then how do you provide access? If you’re providing access via the internet, that’s increasing your risk. So really making sure that you’re limiting access to sensitive information and really that you don’t collect information that you really don’t have a need for. I think that’s the first step.
Then, being aware that there are these risks, and I think that’s a lot of time, even IT experts and whether why this is becoming more important across the organization, that people may believe that it can’t happen to us because of whether we’ve got the best cyber team or whether we don’t have enough “important data,” which everyone does. I think that’s something to realize, is just everybody needs to be cyber aware, that there are potential risks no matter how well protected you are.
Dr. Bjorn Mercer: I like that because everybody has data that can be used. If there’s hackers, and most of them are brilliant, of course, they’ll do a variety of hacks to collect data points and then put them all together. And then from that, they’ll be able to have something that they can use in however way they want to use that. So the next question, Kevin, is what can individuals do to prevent attacks?
Dr. Kevin Harris: Well, I think one thing of being aware. So many individuals that I speak with, they find an app on their phone, they just click accept to the permissions. I mean, I think that’s tip one, is just realizing what permissions are we giving away, whether that’s on our phone, through our app or the ability for using a mobile device and connecting away from our office, even at home, is just recognizing the potential risks that are there. I think that’s the first step.
Again, similar to organizations collecting data, we don’t even want to take a picture of something that could be sensitive, email, personal information, such as socials, using that in emails, whether it’s to somebody that we’re doing business with, whether it’s to a spouse, or we’re filling out paperwork, to recognize that this information could be used by an attacker. I think also just realizing that the responsibility to protect our data is not just the responsibility of the IT department and the cyber department, that everyone plays a role in this, no matter what your role in the company is.
Dr. Bjorn Mercer: I like that, no matter what your role is, because it even makes me think of whenever I get texts or even emails, where it’s coming from someone I don’t know, I never click on any of those links. Step one, you just never know that. I even think of one time where I got a link from my father-in-law, which was a link from TikTok, and I automatically deleted it because I was like, “My father-in-law doesn’t have TikTok.” Now the next question is, what has changed in who is required to have cybersecurity skills?
Dr. Kevin Harris: I think this builds on the last topic, is when we look at whether it was five years ago, 10 years ago, when we talked about cybersecurity skills, who needs that, we would have said, “That’s the IT department. Wherever the IT department is, the group behind the doors, sometimes that’s who should go to these types of trainings, the technical trainings.”
But now, because so many decisions that an organization makes can place that organization at a risk when it comes to cybersecurity, everyone, no matter what your role, and that changes from your business leaders to your C-suite executives to your board members, it’s important for all of them to understand the risk threats that are out there for the organizations.
Because a lot of times when resources are divvied up, if they aren’t provided with the individuals making these decisions don’t have the right information, the right threat level awareness, then they potentially could cut funding from a group that potentially needs it or also make a decision to give access to data without knowing the full risk.
So I think it moves from just IT individuals to everyone at an organization is required all the way from the board down through junior team members.
Dr. Bjorn Mercer: I like that. It is everybody’s responsibility and it’s very easy to see how sometimes departments or whatever can get cut. And then if that happens, important resource and talent could be lost. What are some say communication skills that cybersecurity experts can use to really help convince, say leadership of how important cybersecurity is without going into, if you don’t do this, everything’s going to fall apart, if you don’t do this, without saying the sky’s falling all the time?
Dr. Kevin Harris: I think one thing with that is understanding the business. I think that’s one of the most important things that a cybersecurity professional can do, is understand what business they’re working in and what’s important, and make sure that everything that they’re suggesting is tied to the mission of that organization. So they can, if you will, talk the talk of that company without being Chicken Little, the sky is falling. So understanding the business role.
Dr. Bjorn Mercer: I completely agree, understanding the business role. Is there any certain sector, say finance or whatever, that does a particularly good job with cybersecurity, in your own opinion?
Dr. Kevin Harris: Yeah. I mean, I think if we look at healthcare, of course there are some challenges. I think that’s one area that there has been a lot of movement in, the healthcare industry, just because of the risks that are there. I mean, even if you look at healthcare, the pandemic, I think has shown us a lot that has required healthcare to be nimble and change. So even if we look at having to do telehealth, that’s something that I think a lot of providers have done in a very secure manner. Some of those platforms are really secure. So I’d say that’s one that just comes off the top of my head.
Dr. Bjorn Mercer: Excellent. For those who are interested in cybersecurity, do you recommend an associate’s, a bachelor’s, a master’s? What’s the best combination of skills and education that allows them to have, say a good, healthy long career?
Dr. Kevin Harris: That’s another great thing about the cyber field. I just say yes to all of those. There’s so many different paths into cyber and so many different things that we think of as cyber. I’d say look for your passion. And regardless of if your passion is truly technical and you want to go a technical route and help protect organizations, you can look at that. If you want to be a business leader that’s in cyber, you can go that route. If you’re a policy-type person, you can address cyber through those needs. So really there’s no good path or good way to go in. Just take that first step, whether it’s a certificate, whether it’s an associate’s degree, whether it’s a bachelor’s, a master’s, if you’re wanting to refocus, and then go from there.
I mean, you may go in as a technician and protect organizations for several years and then decide you want to move up into an executive level. So that might mean that you go back and you re-skill with some project management or at a master’s level to give you some budget experience. So there’s no right answer to that. It’s just whatever you’re comfortable with.
Dr. Bjorn Mercer: That totally makes sense, because it really depends on where you are in your career. If you’re early in a career, associate’s, bachelor’s totally makes sense, and as you get later and later in your career, re-tooling, re-focusing can help with a master’s. It really depends on the individual and what you need for your own career. And today, absolutely wonderful conversation, Kevin. Any final words?
Dr. Kevin Harris: I just enjoy this opportunity, and I think we’ll just continue to build on these conversations. And also, I think one of the things that we want to realize, it’s truly a collaborative approach, including small businesses, large corporations, not-for-profits, higher ed, all in this fight to secure our nation’s digital assets. So, thanks for this opportunity to talk hack and hacking.
Dr. Bjorn Mercer: Excellent. Thank you. Today, we were speaking with Dr. Kevin Harris about hack and hacking. My name is Dr. Bjorn Mercer. Thank you for listening.